Tuesday, 23 October 2012

Analysis of TDL4 (Part III)

More about steganography

A closer look at the COM32 component of TDL4, the component that decrypts configuration text from the JPEG images hosted at imageshack.us and posted to the blogs, reveals that COM32 is a rip-off of Steghide, the open source steganography program developed by Stefan Hetzl.

Because COM32 is compiled from the publicly available source files, you don't even need the COM32 module to decrypt the images. Just download Steghide and run it against a JPEG image taken from one of the TDL4 blogs.

For example, configuration text from the images 1, 2, and 3 can be recovered by running Steghide as:

steghide.exe extract -sf image.jpg -p A6rprm09lZnVsCn -xf config.txt

Text from another blog's images (4, 5, and 6) can be obtained by running Steghide as:

steghide.exe extract -sf image.jpg -p TOWasfO03gGff58 -xf config.txt

where A6rprm09lZnVsCn and TOWasfO03gGff58 are the passphrases obtained by decrypting the strings jt5G/KE25R1VSaYny0rr and m6dj7aA9mhQKdI8X3jy9 from the original configuration file with RC4 key #1.
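The passphrase recovery step above, written out as an added example (not code from the original post or from the TDL4 samples). The two encoded strings are the ones quoted from the configuration file; the RC4 key is a placeholder because "RC4 key #1" is not given in the post, so the round trip only demonstrates the base64-then-RC4 path, while the length check on the real strings is a sanity check an analyst can do without the key: 20 base64 characters decode to 15 bytes, which is consistent with the 15-character passphrases.

```python
import base64

# The two encrypted passphrase strings quoted from the TDL4 configuration.
ENCRYPTED_PASSPHRASES = {
    "blog_a": "jt5G/KE25R1VSaYny0rr",
    "blog_b": "m6dj7aA9mhQKdI8X3jy9",
}

# The real "RC4 key #1" is not given in the post; this placeholder key only
# serves to show the decoding path end to end.
PLACEHOLDER_RC4_KEY = b"PLACEHOLDER-RC4-KEY-1"


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine both
    encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_passphrase(passphrase, key):
    """Config-side encoding: RC4, then base64 (the form seen in the config)."""
    return base64.b64encode(rc4(key, passphrase.encode("ascii"))).decode("ascii")


def decode_passphrase(encoded, key):
    """Analyst-side decoding: base64, then RC4, yielding the steghide passphrase."""
    return rc4(key, base64.b64decode(encoded)).decode("ascii")


def ciphertext_length(encoded):
    """Number of raw RC4 output bytes inside a base64 string. RC4 is a stream
    cipher, so this equals the length of the hidden passphrase."""
    return len(base64.b64decode(encoded))


def steghide_extract_command(image, passphrase, out="config.txt"):
    """Build the steghide command line from the post as an argument list
    (suitable for subprocess.run without shell quoting problems)."""
    return ["steghide.exe", "extract", "-sf", image, "-p", passphrase, "-xf", out]


if __name__ == "__main__":
    for name, enc in ENCRYPTED_PASSPHRASES.items():
        print(name, "hides a passphrase of", ciphertext_length(enc), "bytes")
    # Round trip with the placeholder key to show the decoding path.
    enc = encode_passphrase("A6rprm09lZnVsCn", PLACEHOLDER_RC4_KEY)
    print(enc, "->", decode_passphrase(enc, PLACEHOLDER_RC4_KEY))
    print(" ".join(steghide_extract_command("image.jpg", "A6rprm09lZnVsCn")))
```

With the real key in place of the placeholder, `decode_passphrase` applied to the two quoted strings is exactly the step that produced the passphrases used in the steghide commands above.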

BBR232/BBR264 and SERF332/SERF364

These additional modules are downloaded from the C&C servers and then loaded into the address space of the browsers. Their purpose is to hijack browsing activity: redirect users to various dodgy websites, skew Google search results, and serve pop-ups with fake AV products, porn, gambling sites, etc.

Once decrypted the same way as demonstrated in the previous blog post, BBR232 reveals itself as a module that hijacks the Internet Explorer, Chrome, Safari, Opera, and Firefox browsers. SERF332 is designed for Internet Explorer only, as it relies on parsing the window structure of the browser process. The BBR264 and SERF364 modules support the 64-bit versions of the browsers.

BBR232 will make sure the host name does not contain any of the following strings:

yimg.

rds.yahoo.

google.

.google

bing.

yahoo.

atdmt.

aolcdn.

atwola.com

.aol.

dmn.aol.

sa.aol.

.icq.

dw.com.

.gstatic.

img.youtube.

i.i.com.

google-analytics.com

.everesttech.

.ixnp.

googleapis.

.alexametrics.

scorecardresearch.com

alltheweb.

altavista.

microsofttranslator.

microsofttranslator.

askcache.

searchapi.search.aol.

cc.msnscache.com

.googlehosted.com

gesualdo.alexa.

BBR232 will also make sure that the requested web page is not pre-fetched by the browser.

In addition, it makes sure the URL string does not contain any of the following strings:

search/cache

/search/search

search/redir

counter.yadro.ru

gstatic.com/inputtools

recaptcha_ajax.js

icq.com/js/cookie_lib.js

survey.122.2o7.net

fls.doubleclick.net

alexa.com

facebook.

Next, BBR232 can modify the requested URL by replacing the HTTP referer in it, or by replacing certain URL parameters, such as "url=". Which parts of the browser session get modified is defined by a configuration file: page redirects and HTTP referer replacements are listed in the sections enclosed by the tags [redir_urls_begin]/[redir_urls_end] and [ref_replace_begin]/[ref_replace_end] respectively. The redirect configuration may be fetched from the servers:

wanstatcteery.com

wahinotisifatu.com

owtotmyne.com

As a result, when the user clicks a link returned by Google Search, the "url=" parameter will be replaced with a different web page, leading to skewed analytics, fraudulent monetization via AdSense, clickjacking, Search Engine Optimisation (SEO) poisoning, and other click fraud that constitutes the "cash cow" business for the TDL/TDSS group.
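The eligibility checks described above (host-name exclusions, URL exclusions, and the pre-fetch test), as an added example written from the defender's side rather than code from the post or from the module itself: it reproduces the module's filter so that proxy-log traffic from an infected host can be triaged for the requests BBR232 would have been willing to tamper with, and splits a configuration file into its tagged sections. The two exclusion lists are copied from the post; the pre-fetch headers (X-Moz/Purpose: prefetch, which Firefox and Chrome send) are an assumption, since the post does not say how the module detects a pre-fetch; the log line format, the sample requests and the entries inside the config sections are constructed, because the entry syntax inside the tags is not documented in the post.

```python
from urllib.parse import urlsplit

# Host-name substrings BBR232 leaves alone (copied from the analysis above).
HOST_EXCLUSIONS = [
    "yimg.", "rds.yahoo.", "google.", ".google", "bing.", "yahoo.", "atdmt.",
    "aolcdn.", "atwola.com", ".aol.", "dmn.aol.", "sa.aol.", ".icq.", "dw.com.",
    ".gstatic.", "img.youtube.", "i.i.com.", "google-analytics.com",
    ".everesttech.", ".ixnp.", "googleapis.", ".alexametrics.",
    "scorecardresearch.com", "alltheweb.", "altavista.", "microsofttranslator.",
    "askcache.", "searchapi.search.aol.", "cc.msnscache.com",
    ".googlehosted.com", "gesualdo.alexa.",
]

# URL substrings BBR232 leaves alone (also copied from the analysis above).
URL_EXCLUSIONS = [
    "search/cache", "/search/search", "search/redir", "counter.yadro.ru",
    "gstatic.com/inputtools", "recaptcha_ajax.js", "icq.com/js/cookie_lib.js",
    "survey.122.2o7.net", "fls.doubleclick.net", "alexa.com", "facebook.",
]

# ASSUMPTION: the post says pre-fetched pages are skipped but not how the
# module detects them; these are the request headers browsers send for
# pre-fetches, used here as the marker.
PREFETCH_HEADERS = {"x-moz": "prefetch", "purpose": "prefetch"}


def is_prefetch(headers):
    """True if the request carries a known browser pre-fetch marker."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return any(lowered.get(h) == v for h, v in PREFETCH_HEADERS.items())


def is_hijack_candidate(url, headers=None):
    """Reproduce BBR232's eligibility checks: a request is left alone if the
    host matches an exclusion, the URL matches an exclusion, or the page is
    being pre-fetched. Anything else is a candidate for tampering."""
    host = urlsplit(url).hostname or ""
    if any(s in host for s in HOST_EXCLUSIONS):
        return False
    if any(s in url for s in URL_EXCLUSIONS):
        return False
    if headers and is_prefetch(headers):
        return False
    return True


def parse_hijack_config(text):
    """Split a configuration into the sections delimited by the documented
    [<name>_begin]/[<name>_end] tags. Entry syntax inside a section is not
    documented, so entries come back as raw lines."""
    sections = {"redir_urls": [], "ref_replace": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("_begin]"):
            current = line[1:-len("_begin]")]
            sections.setdefault(current, [])
        elif line.endswith("_end]"):
            current = None
        elif current is not None and line:
            sections[current].append(line)
    return sections


def triage_proxy_log(lines):
    """Return the URLs in a proxy log that BBR232 would have been willing to
    modify: the requests worth checking for a swapped referer or "url=" value.
    Constructed log format: <timestamp> <client> <method> <url>."""
    candidates = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        if is_hijack_candidate(url):
            candidates.append(url)
    return candidates


# Constructed sample data so the script runs stand-alone.
SAMPLE_LOG = [
    "2012-10-23T10:00:01 10.0.0.5 GET http://www.google.com/search?q=antivirus",
    "2012-10-23T10:00:02 10.0.0.5 GET http://example.com/go?url=http://shop.example/",
    "2012-10-23T10:00:03 10.0.0.5 GET http://www.facebook.com/home.php",
    "2012-10-23T10:00:04 10.0.0.5 GET http://news.example.org/article/42",
]

SAMPLE_CONFIG = """[redir_urls_begin]
entry-one
[redir_urls_end]
[ref_replace_begin]
entry-two
entry-three
[ref_replace_end]
"""

if __name__ == "__main__":
    for url in triage_proxy_log(SAMPLE_LOG):
        print("candidate:", url)
    print(parse_hijack_config(SAMPLE_CONFIG))
```

Note that the exclusions are plain substring matches, exactly as the post lists them: "google." also matches "www.google.com", and "facebook." is checked against the whole URL, not just the host, which is why the Facebook request is skipped by the second list rather than the first.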